
Windows DNS resolution

Last Modified: 2017-11-08
Greetings all,

I have a web domain with hundreds of A records in it.  There are about 10 sites that computers within my AD domain need to access via the sites' internal DMZ IPs instead of the public IPs.  I know I can do this by creating a new DNS zone in AD and adding the A records for those particular sites to point to the DMZ addresses.  I tried it and it works, but it breaks the other 290 sites that still need to resolve to the public IPs, as there are no records for them in the internal DNS zone.  Is there a way that I can configure the new zone to only resolve the 10 A records in question and forward all of the other queries for that domain to the public DNS?  I'd really like to not have to maintain all 300 A records in 2 different places if I don't have to.

CERTIFIED EXPERT
Top Expert 2014
Commented:
When you say updating the A record to point to the internal IP breaks the other sites, can you explain? Do all sites reference one another?

What you are looking to do is common and is called Split-Brain DNS.
CERTIFIED EXPERT
Commented:
CERTIFIED EXPERT
Top Expert 2014

Commented:
I've heard the term split-DNS (which I prefer), split-brain DNS, and split-horizon DNS, but never shadow DNS.
Split DNS is just the result of having different DNS information for the same domain in different locations (typically public vs. internal) - there's no question of being supported as it's a perfectly valid way to provide DNS information.

Many firewalls will not allow traffic that comes in on one interface to contact another interface.  Yours may, or may not.  I'm not convinced that one way or the other is "cleaner" - so I'll leave that judgement up to you.

You'd need a pretty sophisticated DNS package from your public DNS provider to be able to set up rules which would return internal IPs to clients on your network and public IPs to other clients.  To be honest, I've never even considered it before.  Let's say your public DNS was served by MS DNS servers - the subnet prioritization feature on MS's DNS servers would not be enough to handle all that (it could work for internal clients, depending on your network structure, but I'm certain that public/internet clients would get internal IPs at least some of the time).
CERTIFIED EXPERT

Commented:
I've heard the term split-DNS (which I prefer), split-brain DNS, and split-horizon DNS, but never shadow DNS.

They are two different things: a shadow zone possesses its own records and will use records from a separate server or zone for other records, so you basically maintain a single zone and just override a few entries. It is possible that MS's DNS can achieve this through some kind of DNS delegation I'm not aware of.

Note that a small DNS forwarder for the local network would do the trick easily. Use unbound or dnsmasq for such tasks.

You'd need a pretty sophisticated DNS package from your public DNS provider to be able to set up rules which would return internal IPs to clients on your network and public IPs to other clients

We're talking about a private server here. This feature is native to many/most DNS implementations. Additionally, they feature either rulesets or built-in protections so that handing LAN addresses to WAN clients does not happen. I'm unsure about MS's though. DNS prioritisation is not enough to make this work properly

... which is why I believe allowing the WAN address to be queriable from the LAN might be easier and would produce a cleaner result in the end.
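The "override a few entries, forward the rest" idea above can be reproduced on the Windows DNS server itself without a separate unbound/dnsmasq box. The following is an added example, not code from the thread: it creates one small AD-integrated zone per overridden hostname (the zone name is the full hostname, so the server is authoritative for that one name only) and leaves every other name under the domain to the configured forwarders. The hostnames, DMZ addresses and forwarder addresses are made up; it assumes the DnsServer PowerShell module (Server 2012 or later) and that the public zone is hosted elsewhere.

```powershell
# Added example: override ~10 names on an internal Windows DNS server while the
# remaining names in the same domain are still resolved by the public DNS.
# All names and addresses below are placeholders.
Import-Module DnsServer

# Hypothetical hosts that must resolve to DMZ addresses from inside the AD domain.
$overrides = @{
    'site1.example.com' = '10.10.0.11'
    'site2.example.com' = '10.10.0.12'
    'site3.example.com' = '10.10.0.13'
}

foreach ($fqdn in $overrides.Keys) {
    # One AD-integrated zone per overridden host. Because the zone is named
    # after the full hostname, only queries for exactly that name (and anything
    # below it) hit this zone; site4.example.com etc. are untouched.
    if (-not (Get-DnsServerZone -Name $fqdn -ErrorAction SilentlyContinue)) {
        Add-DnsServerPrimaryZone -Name $fqdn -ReplicationScope Domain
    }
    # '@' is the zone apex, i.e. the A record for the hostname itself.
    Add-DnsServerResourceRecordA -ZoneName $fqdn -Name '@' -IPv4Address $overrides[$fqdn]
}

# Everything the server is not authoritative for (the other ~290 names) goes to
# the public resolvers. Placeholder addresses; use your ISP's or provider's.
Set-DnsServerForwarder -IPAddress 203.0.113.53, 198.51.100.53 -UseRootHint $false

# Check from the DNS server: an overridden name must come back with the DMZ
# address, a non-overridden name with whatever the forwarder returns.
Resolve-DnsName -Name 'site1.example.com' -Server 127.0.0.1 -Type A
Resolve-DnsName -Name 'site250.example.com' -Server 127.0.0.1 -Type A
```

Two caveats a practitioner should check before rolling this out: an override zone also owns every name below it, so if anything like `api.site1.example.com` exists publicly it now has to be added to that zone as well; and if a public site is a CNAME to another name rather than an A record, the override must target the name the client actually queries.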
CERTIFIED EXPERT
Top Expert 2014

Commented:
Interesting.  I'm very familiar with the capabilities of MS DNS servers, and from what you've described this is not possible with them (at least up to and including Server 2012 R2 - I think I've heard mention of something similar in Server 2016 but I've yet to investigate).

Whether the firewall solution is possible depends entirely on the firewall.
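The Server 2016 feature alluded to above is DNS Policy (client subnets, zone scopes and query resolution policies). It only helps in the asker's situation if the Windows DNS server is authoritative for the whole public zone, because a zone scope is a separate record set and does not fall back to the default scope. The following is an added example, not something from the thread, showing how to scope the override to just the handful of names by combining a client-subnet criterion with an FQDN criterion so that every other name is still answered from the default (public) scope. Zone name, subnets, hostnames and addresses are made up; the criterion syntax "operator,value,value" is how the DnsServer cmdlets express conditions.

```powershell
# Added example: Server 2016+ split-brain DNS with DNS Policy, limited to a
# list of hostnames so the rest of the zone keeps its public answers.
# Placeholder names and addresses throughout.
Import-Module DnsServer
$zone = 'example.com'

# Hypothetical hosts that internal clients must reach via DMZ addresses.
$internalHosts = @{
    'site1' = '10.10.0.11'
    'site2' = '10.10.0.12'
}

# Who counts as "internal": clients sourced from these subnets.
Add-DnsServerClientSubnet -Name 'Internal' -IPv4Subnet '10.0.0.0/8', '192.168.0.0/16'

# A zone scope is a parallel record set inside the same zone. The default
# scope keeps the public records; the Internal scope holds only the overrides.
Add-DnsServerZoneScope -ZoneName $zone -Name 'Internal'
foreach ($host in $internalHosts.Keys) {
    Add-DnsServerResourceRecord -ZoneName $zone -A -Name $host `
        -IPv4Address $internalHosts[$host] -ZoneScope 'Internal'
}

# Policy: only when the client is on the Internal subnet AND asks for one of
# the overridden names is the query answered from the Internal scope.
# Any other name from the same client falls through to the default scope.
$fqdns = ($internalHosts.Keys | ForEach-Object { "$_.$zone" }) -join ','
Add-DnsServerQueryResolutionPolicy -Name 'InternalOverrides' -Action ALLOW `
    -ClientSubnet 'eq,Internal' -Fqdn "eq,$fqdns" `
    -ZoneScope 'Internal,1' -ZoneName $zone

# Review what is in place.
Get-DnsServerQueryResolutionPolicy -ZoneName $zone
Get-DnsServerResourceRecord -ZoneName $zone -ZoneScope 'Internal'
```

Because the policy is keyed on the query source address, test it from a client actually inside the listed subnets (or the server itself, if its address is covered), not from a host that reaches the server through NAT or a proxy. The point of the FQDN criterion is to avoid the very failure described in the question: without it, a policy that selects the Internal scope for all internal clients would require every one of the 300 records to exist in that scope.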
CERTIFIED EXPERT
Top Expert 2014

Commented:
The solution provided in #42059993 is the common way to resolve the issue.
#42065149 is an alternative.